A complete IT onboarding process ensures new employees have everything they need on day one: a working device, active accounts, proper access to the tools they'll use, and clear instructions for getting help. Scrambling to set things up after they arrive wastes their time, frustrates their manager, and makes your business look disorganized. This guide walks through every step, from two weeks before the start date through the day-one handoff, so nothing falls through the cracks.
When to Start: Timeline
IT onboarding doesn't begin on the new hire's first day. It starts the moment HR confirms the hire.
1 to 2 weeks before the start date. Order hardware if you don't have a spare available. Create the employee's Microsoft 365 account and email address. Request access to business applications. If you're working with a managed IT provider, notify them of the incoming hire with the employee's name, role, start date, and the applications they'll need.
2 to 3 days before. Configure the device. Install software. Test everything. Verify that email works, that the employee can access the files and applications they need, and that printers and peripherals function correctly. This testing step is the difference between a smooth first day and an embarrassing one.
Day before. Final verification. Confirm credentials are ready. Prepare any welcome materials or documentation the employee will receive. Set temporary passwords that will require a change on first login.
Day of. Hand off the device. Walk through key systems. Introduce the IT support contact. Verify everything works in the employee's hands, not just on the IT bench.
Hardware and Devices
Start with the physical equipment the employee will use every day.
Order or allocate a laptop or desktop that meets the requirements for the role. Standard office work (email, documents, web browsing, video calls) requires a machine with at least 16 GB of RAM, an SSD, and a current-generation processor. Roles involving design, data analysis, or video editing may need higher specs. Confirm with the hiring manager before ordering.
Order a monitor, keyboard, mouse, and headset if the employee will work from an office. For remote employees, decide whether you're providing these items or offering a stipend. Consistency matters here; every employee should have the equipment they need to do their job without making do.
If the role requires a desk phone, order it and coordinate with your phone system provider to assign an extension or number. For businesses using Microsoft Teams Phone, this is configured in the Teams admin center and doesn't require separate hardware unless the employee prefers a physical handset.
Asset tag every piece of equipment and record serial numbers in your inventory. This takes five minutes per device and saves hours of confusion when it's time to track down equipment during offboarding.
Accounts and Licenses
Create the employee's Microsoft 365 account with the appropriate license. If your business runs Microsoft 365 Business Premium (which includes Intune, Defender for Business, and Entra ID with Conditional Access), assign that license so the employee gets the full security stack from day one. Set up their email address following your company's naming convention, typically firstname.lastname@company.com.
Create accounts in every business application the employee will use: CRM, accounting software, project management tools, practice management system, and anything else relevant to their role. Don't wait until they ask; have these ready before they arrive.
Set up a 1Password account for the employee and add them to the appropriate shared vaults. Shared vaults give new hires immediate access to the credentials they need, such as shared service logins and vendor portals, without anyone having to send passwords over email or chat. If your business uses Athencia One Complete, 1Password is included in your per-user fee.
Create VPN credentials if the employee needs remote access to on-premises resources. For every account, set a temporary password that the employee must change on first login. Never email passwords in plain text. Use your password manager's secure sharing feature or provide them verbally during the day-one walkthrough.
Access and Permissions
Add the employee to the correct Microsoft 365 groups and distribution lists based on their role. Grant access to relevant SharePoint sites and shared drives. Add them to the Teams channels they'll participate in. Set up shared mailbox access if they need it (for example, if they'll be monitoring info@ or support@).
Grant access to printers and networked devices. Add them to the company directory and phone system.
Apply the principle of least privilege: grant only the access needed for the employee's role, nothing more. It's much easier to add permissions later when a need arises than to audit and remove excessive access after the fact. If your business uses Entra ID with Conditional Access policies, new employees automatically inherit the access controls that apply to their group memberships, including MFA requirements, device compliance checks, and location-based restrictions.
Device Configuration
This is the most time-consuming step, and it's also the one that benefits most from automation.
If your business uses Microsoft 365 Business Premium with Intune and Autopilot, most of this setup happens automatically. Register the new laptop's hardware ID with your Microsoft tenant, and when the employee powers it on and signs in with their new Microsoft 365 credentials, all company policies, apps (including 1Password and Microsoft Teams), and security settings deploy without anyone touching the machine. The employee gets a fully configured, secured laptop by simply signing in. This is how Athencia provisions devices for its managed IT clients.
If you're configuring manually, here's the full checklist. Complete Windows setup and join the device to Entra ID (or your identity system). Install all pending Windows updates. Enable BitLocker drive encryption to protect data if the laptop is lost or stolen. Install endpoint protection; if you're using Microsoft 365 Business Premium, Defender for Business is included and should be configured via Intune policies.
Install Microsoft 365 apps: Outlook, Teams, Word, Excel, PowerPoint, and OneNote. Install any business applications specific to the employee's role. Install and configure 1Password or your password manager. Install the VPN client if needed. Connect printers. Configure OneDrive sync so the employee's files are automatically backed up to the cloud. Set security policies including screen lock timeout (5 minutes is a reasonable default) and automatic update settings.
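One way to run the "test everything" step against the manual checklist above is a short pre-handoff script on the device itself. This is an added example, not Athencia's or Microsoft's tooling; the function name `Test-OnboardingDevice` is hypothetical, and it assumes an elevated PowerShell session on Windows with the screen lock set through the "Interactive logon: Machine inactivity limit" policy (a lock timeout delivered another way, for example by an Intune device-lock setting, may not appear in this registry value).

```powershell
#Requires -RunAsAdministrator
# Added example: verifies the manual device checklist before handoff.
# The 300-second threshold mirrors the guide's 5-minute screen lock default.

function Test-OnboardingDevice {
    $results = [ordered]@{}

    # Entra ID join state, parsed from dsregcmd output ("AzureAdJoined : YES").
    $dsreg = (dsregcmd /status) -join "`n"
    $results['EntraJoined'] = $dsreg -match 'AzureAdJoined\s*:\s*YES'

    # BitLocker protection must be active on the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results['BitLockerOn'] = ($vol.ProtectionStatus -eq 'On')

    # Defender antivirus enabled with real-time protection running.
    $mp = Get-MpComputerStatus
    $results['DefenderRealTime'] = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)

    # Pending updates, queried through the Windows Update Agent COM API.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    $results['NoPendingUpdates'] = ($pending -eq 0)

    # Machine inactivity limit: present, non-zero, and at most 300 seconds.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs `
        -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $results['ScreenLock5Min'] = ($null -ne $timeout -and $timeout -gt 0 -and $timeout -le 300)

    [pscustomobject]$results
}

$report = Test-OnboardingDevice
$report | Format-List

# Any check that came back false blocks the handoff.
$failed = $report.PSObject.Properties | Where-Object { -not $_.Value }
if ($failed) {
    Write-Warning ("Not ready for handoff: " + ($failed.Name -join ', '))
    exit 1
}
Write-Output 'All checks passed.'
```

A non-zero exit code lets the same script gate a provisioning task or ticket closure; keep the output with the asset record so offboarding starts from a known baseline.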
Email and Communication
Configure Outlook with the employee's mailbox and verify that sending and receiving works. Set up their email signature following the company template. Add them to relevant distribution lists so they receive team and company-wide communications.
Set up Microsoft Teams and verify that audio and video work correctly. A quick test call catches hardware or driver issues before the employee's first meeting with a client.
Add the employee to the company phone system. If you use Teams Phone, assign a phone number in the Teams admin center. Share the IT support contact information and explain how to submit help requests, whether that's an email address, a support portal, or a phone number.
Security
Security setup is not optional and should not be deferred to "sometime during the first week."
Enable multi-factor authentication on the employee's Microsoft 365 account before they sign in for the first time. Walk them through the MFA setup process during the day-one handoff, which involves installing the Microsoft Authenticator app on their phone and registering it with their account. This takes about three minutes and is the single most effective thing you can do to prevent account compromise.
Provide the initial password securely. Do not email it, do not write it on a sticky note, and do not put it in a Teams message. Use 1Password's secure sharing feature or provide it verbally during the in-person handoff.
Schedule security awareness training. Whether you use an internal program or a platform like Huntress (which bundles security awareness training with its managed EDR), new employees should complete their first training module within their first two weeks. Phishing attacks target new hires because they're less familiar with company communication patterns.
Review the company password policy and acceptable use policy with the employee. Have them sign an acknowledgment that they've read and understood both documents.
Documentation to Provide
Give the new employee a simple reference document (one page is plenty) that covers the essentials. Include IT support contact information: who to call, how to submit a ticket, and the process for emergency support. Provide a quick start guide covering how to access email, files, Teams, VPN, and printers. Include password policy instructions and a brief guide to using 1Password. Attach or link to the acceptable use policy. Provide Wi-Fi credentials for the business and guest networks.
Store this documentation somewhere the employee can find it later, like a SharePoint page or an internal wiki. First-day information overload is real; they'll need to reference it again.
Day-One Walkthrough
The final step is a hands-on walkthrough with the employee. Hand over the device and verify they can sign in. Walk through email, Teams, and file access. Verify printer access works. Show them where to find IT help and how to contact support.
Verify that MFA is set up and working on their phone. Walk through the password manager and make sure they can access the shared vaults assigned to them. Answer their questions and confirm everything works. This walkthrough typically takes 20 to 30 minutes and prevents a flood of "how do I..." tickets in the first week.
Onboarding Checklist Summary
Use this as a quick reference for every new hire.
- Hardware ordered, configured, and tested
- Microsoft 365 account created with correct license (Business Premium)
- Business application accounts created
- 1Password account set up with appropriate shared vault access
- Appropriate group memberships and permissions assigned
- Device fully configured with security settings, software, and policies
- Email, Teams, and phone configured and tested
- MFA enabled and verified
- Security awareness training scheduled
- IT documentation and policies provided
- Day-one walkthrough completed
Need Help?
Getting onboarding right sets the tone for a new employee's experience and protects your business from day one. If you need help building a repeatable onboarding process or want to streamline device provisioning with Autopilot, contact Athencia. We do this every day.